Researchers observed Lumma Stealer activity across a number of online samples, including PowerShell scripts and a disguised EXE installer; analysis revealed a parent-child relationship between these samples, all of which communicated with the same C2 server.
The Lumma Stealer Trojan observed in the supplied sample employs advanced techniques to exfiltrate sensitive data from popular browsers and applications. It targets a wide range of information, including browser credentials, cryptocurrency wallet details, and user profiles from platforms such as Steam and Discord, posing a significant threat to user privacy and security.
The collection consists of three files: a PowerShell script ("Trigger.ps1"), another, considerably larger PowerShell script ("BMB1tcTf.txt"), and an executable ("hhh.exe"). SHA1 hashes are provided for each file for identification and integrity verification.
Trigger.ps1 is a PowerShell script that downloads a file (BMB1tcTf.txt) and executes it if the environment is judged legitimate. This behaviour appears malicious because the script then attempts to download and execute another file (hhh.exe).
The malware sample, identified as GHOSTPULSE, gathers system information including operating system details, hardware specifications, loaded modules, and active processes after execution.
It creates a new process using more.com (an MS-DOS command for displaying text content) and injects its payload using the Process Doppelgänging technique, then drops two files: one named more.com and another with a filename made up of a random combination of lowercase letters.
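As an added defender-side illustration (not code from the analysis or from any sandbox vendor), the following Python flags the process-creation and file-drop pattern described above: more.com running or being written outside the system directories, more.com launched by something other than a command shell, and a companion file with a random lowercase-letter name dropped beside it. The event shapes, the list of benign shell parents and the random-name pattern are assumptions, and the sample events are constructed.

```python
import ntpath
import re

# Constructed Sysmon-style events (EventID 1 = process create, 11 = file create).
# Paths and parents are illustrative only, not taken from the analysed samples.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\more.com",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "image": r"C:\Windows\System32\more.com",
     "parent": r"C:\Users\victim\Downloads\hhh.exe"},
    {"id": 11, "target": r"C:\Users\victim\AppData\Local\Temp\more.com"},
    {"id": 11, "target": r"C:\Users\victim\AppData\Local\Temp\qzxbvk"},
    {"id": 11, "target": r"C:\Users\victim\AppData\Local\Temp\report.txt"},
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumed benign launchers of more.com: interactive shells paging text output.
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumed shape of the dropped companion: lowercase letters only, no extension.
RANDOM_NAME = re.compile(r"^[a-z]{4,12}$")

def _split(path):
    """Return (directory, filename), both lower-cased, for a Windows path."""
    d, f = ntpath.split(path)
    return d.lower(), f.lower()

def analyze(events):
    findings = []
    drop_dirs = set()
    for ev in events:
        if ev["id"] == 1:
            d, f = _split(ev["image"])
            if f != "more.com":
                continue
            if d not in SYSTEM_DIRS:
                findings.append(("more.com outside system directory", ev["image"]))
            if _split(ev["parent"])[1] not in SHELL_PARENTS:
                findings.append(("more.com spawned by non-shell parent", ev["parent"]))
        elif ev["id"] == 11:
            d, f = _split(ev["target"])
            if f == "more.com" and d not in SYSTEM_DIRS:
                findings.append(("more.com dropped outside system directory", ev["target"]))
                drop_dirs.add(d)
    # Second pass: random lowercase-letter names written next to a dropped more.com.
    for ev in events:
        if ev["id"] == 11:
            d, f = _split(ev["target"])
            if d in drop_dirs and RANDOM_NAME.match(f):
                findings.append(("random-name file beside dropped more.com", ev["target"]))
    return findings

if __name__ == "__main__":
    for rule, path in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {path}")
```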
Malware disguised as an AutoIt script (AutoIt3.exe) was delivered and contained a PNG image embedded with a malicious payload using the Ghostpulse technique; the extracted payload indicates that it can steal cryptocurrency and password-related data.
According to Tianqiong sandbox analysts, Lumma Stealer is a Trojan that uses process injection (the Heaven's Gate technique) to execute 32-bit APIs in a 64-bit environment in order to steal system information, clipboard contents, browser passwords, etc., and send them to the C2 server.
It uses a multipart/form-data communication protocol with a unique boundary string to exfiltrate sensitive data, such as Firefox passwords, by establishing a session with a C2 server using a specific lifeID and transmitting the stolen data in a compressed format, demonstrating advanced evasion techniques.